New safety checks on exclusions that could take a database unavailable #1292
Comments
Do we have a formal definition of what a desired database configuration should be?
Multi-DC is a good example. In general we should add checks in
The way we want to do this is by calling into something like
When we're running in a multi-DC configuration, it's possible to run an exclusion that can take the database unavailable. For instance, if a database is configured to run satellite logs, but we exclude all of the satellite processes, the database would go unavailable. Should we add a safety check in the exclusion to prevent this kind of mistake?
On a related note, it's possible that an exclusion could put the database into a configuration that is viable but undesirable. For instance, if a database is configured to run 5 proxies, but we exclude all of the stateless class processes but 1, the database will go down to 1 proxy, and it will put that proxy on that single process along with all of the other stateless roles. Should we add safety checks for this kind of thing as well?